On May 12, 2026 Sergio Correia <[email protected]> wrote: > > AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED > and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This > allows a process with CAP_AUDIT_CONTROL to modify directory tree > watches and equivalence mappings even when the audit configuration > has been locked, undermining the purpose of the lock. > > Add AUDIT_LOCKED checks to both commands. > > Reviewed-by: Ricardo Robaina <[email protected]> > Assisted-by: Claude:claude-opus-4-6 > Signed-off-by: Sergio Correia <[email protected]> > --- > kernel/audit.c | 4 ++++ > 1 file changed, 4 insertions(+)
Merged into audit/stable-7.1 with the expectation of sending it up to Linus later this week, thanks! -- paul-moore.com
